Showing results for 
Search instead for 
Did you mean: 

Network upgrade - Router and Firewall?

I am planning on upgrading our 1 VLAN, switched  network. Just to note I am aware of, that some of the equipment I am  thinking of is EOL, but I guess they are still a pretty good piece of  equipment for currently very little money!?

For the main  office I had a redundant collapsed core/distribution & access  infrastructure layout (WS-C4500X & 2960S) in mind with probably a  separate redundant "server farm" segment (probably 2x 3560X or 3750X  Layer 3 - sorry but nexus is way too expensive for the moment).

Note: A lot of large customers we  are dealing with/tendering for work with (local authorities and some  state owned utility companies) would have a similar larger setup and to put us into a better position going forward I have put in an upgrade request with board of management.

The switches will be all interconnected via SFP+

We are also planning on opening a  new site office shortly which I want to connect via a Site-2-Site VPN  Tunnel to the main office. No leased lines or Frame Relay/MPLS  connection are planed, both sites will have an ethernet based broadband  connection for the moment

I was going to get either a 2691 or a  3725 with AIM-VPN/EPII-PLUS and IOS AdvSec/AdvIPServ for the main  office and a 2621XM with AIM-VPN/BPII-PLUS and IOS AdvSec for the site  office to create/and setup the VPN and also to be able to avail of the  IOS Firewall services. You can get them quite cheap with 1, up 2 to year hardware exchange warrenty at the moment!

The main office will hopefully -  eventually - get also a redundant ASA with 2 different ISPs upgrade -  part of the above mentioned network upgrade request.

My question now: I am not too sure  now, where to best plan in the main offices Router/Firewall? What devide should comes first/last - going out to the Internet. Or does it not matter? Router first, the Firwall last or the other  way around? I have seen different network diagrams example on the  internet showing either way. What are the differences, pros and cons?

The Routers main responsibility was to be to do the NATing & VPNing.

For the site office the 2621XM will  also - always - act as the main firewall. The router for the main office  will act temporarily only as a firewall until it will be replaced by  the redundant ASA.

Would it be better practice/securer  to have the VPN coming in after the firewall or before - to have the VPN  traffic packets inspected as well!?

Obviously what ever device does the NATing, needs to be sitting last! ASA could do the NATing as well!?

Or would it make sense to keep both  in place, to get a second router for the main office for the redundant  ISP connection (when the ASA is installed and setup) and have some sort  of Perimeter network and use ASA and the router firewall at the same  time?

Any thoughts, suggestions, tips and recommendations would be really appreciated

Regards from Ireland


Everyone's tags (3)
VIP Advisor

Network upgrade - Router and Firewall?

If you are considering an ethernet based broadband (assuming ethernet drop), why dont you put in a dedicated FW, that can provide VPN/NAT and other security related functionality, rather then a router with a NM?

Please remember to rate useful posts, by clicking on the stars below.


Re: Network upgrade - Router and Firewall?

A couple of diagrams would help support your question a lot.

What is the connection to the ISP like? BGP?
How much redundancy do you need?
Will you use an IGP?
Is this for a nonprofit? The hardware you are citing is really old.

The very basic would be an ASA that has a static default route to your ISP, does NAT, VPN, firewalling, and your IGP.

Any more advice would require more info about what you need.

Sent from Cisco Technical Support iPhone App

CreatePlease to create content
Content for Community-Ad
July's Community Spotlight Awards